From: radarwave
To: dev@hawq.incubator.apache.org
Subject: [GitHub] incubator-hawq-docs pull request #131: Document extending KDC ticket interva...
Date: Wed, 11 Oct 2017 10:07:43 +0000 (UTC)
Message-Id: <20171011100743.833F4E8F1F@git1-us-west.apache.org>

Github user radarwave commented on a diff in the pull request:

https://github.com/apache/incubator-hawq-docs/pull/131#discussion_r143965363

--- Diff: markdown/clientaccess/kerberos.html.md.erb ---
@@ -697,3 +753,172 @@ Follow these steps to install and configure a Kerberos KDC server on a Red Hat E root@kdc-server$ /sbin/chkconfig krb5kdc on root@kdc-server$ /sbin/chkconfig kadmin on ``` + +### Install and Configure KDC Server on Active Directory + +Follow these steps to install and configure a Kerberos KDC server on a Windows host with Active Directory. + +1. Log into the Windows server as a user with administrator permissions. + +2. From the **Start** menu, select **Control Panel** \> **Adminisrative Tools** \> **Active Directory Users and Computers**. + + Note: If there is no entry for **Active Directory Users and Computers**, Active Directory service may not have been correctly installed. + +3. Go to the DATALOCAL entry in the directory tree of the **Active Directory Users and Computers** window and right click on **Managed Service Accounts**. + +4. Select **New** \> **User**. + +5. A **New Object - User** popup window will appear. In the **First name:** window, enter `gpadmin` and also enter `gpadnub` as the **User logon name**. + +6. Click **Next**. Create and confirm a password. Enable the checkbox for **Password never expires**. Click **Next**, then **Finish**. + +7. Log into Windows as Administrator. Depending on your Windows environment, either open a Windows power shell or click **Start** and open a command prompt session and select **Run as Administrator** \> **Yes** to open an administrator window. + +8. Add a Service Principal Name (SPN) for the account just created: + + ``` shell + PS C:\Users\Administrator> setspn -A postgres/hdp3.example.com gpadmin + ``` + +9. Generate a keytab file by using the `ktpass` command. 
This command takes the form: + + ``` shell + ktpass -princ postgres/ -pass -mapuser -crypto ALL -ptype KRB5_NT_PRINCIPAL -out -kvno 0 + ``` + For example, to create `hdp3.keytab` for gpadmin on hdp3.mydomain.com@DATA.LOCAL: + + ``` shell + PS C:\Users\Administrator> ktpass -princ postgres/hdp3.mydomain.com@DATA.LOCAL -pass abcd1234 -mapuser gpadmin -crypto ALL -ptype KRB5_NT_PRINCIPAL -out hdp3.keytab -kvno 0 + + Targeting domain controller: WIN-TIH2EBEERUK.DATA.LOCAL + + Using legacy password setting method + Key created. + Key created. + Key created. + Key created. + Key created. + Output keytab to hdp3.keytab: + Keytab version: 0x502 + keysize 61 postgres/hdp3.example.com@DATA.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 0 etype 0x1 (DES-CBC-CRC) keylength 8 (0xa8d0405789a8469e) +keysize 61 postgres/hdp3.example.com@DATA.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 0 etype 0x3 (DES-CBC-MD5) keylength 8 (0xa8d0405789a8469e) +keysize 69 postgres/hdp3.example.com@DATA.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 0 etype 0x17 (RC4-HMAC) keylength 16 (0x161cff084477fe596a5db81874498a24) +keysize 85 postgres/hdp3.example.com@DATA.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 0 etype 0x12 (AES256-SHA1) keylength 32 (0x20648bd82de77bf66a1dcac4b3050bc308f2cc38f4a13e814ad5bd30e67ef388) +keysize 69 postgres/hdp3.example.com@DATA.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 0 etype 0x11 (AES128-SHA1) keylength 16 (0xa026bb25aa495af5334cd4f185d33071): + ``` + +10. Transfer the generated keytab file to the HDB master. For example: + + ``` shell + root@kdc-server$ scp /etc/ad_keytab/keytabs/hawq.service.keytab :/etc/ad_keytab/keytabs/hawq.service.keytab + ``` +Change the ownership of the keytab file to `gpadmin:gpadmin` and the mode to `600`. + + + ``` shell + root@kdc-server$ ssh chown gpadmin:gpadmin /etc/ad_keytab/keytabs/hawq.service.keytab + root@kdc-server$ ssh chmod 600 /etc/ad_keytab/keytabs/hawq.service.keytab + ``` + +***Can you use automated kerberos setup on Ambari?** + +11. 
Log into HAWQ through the administrator window and install the Kerberos packages on the HAWQ master. + +12. Change the ticket renewal interval. + +13. Edit the `.etc/krb5.conf` configuration file to define the Kerberos realm for the cluster. + + **Can you set up with PS C:\Users\Administrator> ? What if you use Ambari? This page has commands for Powershell: + https://hortonworks.com/blog/enabling-kerberos-hdp-active-directory-integration/** --- End diff --

We can remove the reference to this link as it's kind of out of date and does not have too much value for our settings.

---
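Review bot: In step 9 of this hunk, `-crypto ALL` puts DES-CBC-CRC, DES-CBC-MD5 and RC4-HMAC keys into the keytab next to the AES ones, as the pasted output shows (`etype 0x1 (DES-CBC-CRC)`, `etype 0x3 (DES-CBC-MD5)`, `etype 0x17 (RC4-HMAC)`); the instructions should generate only the AES enctypes (for example `-crypto AES256-SHA1`), and the example should not ship a literal `-pass abcd1234` together with a dump of the resulting key bytes: use a placeholder (ktpass accepts `-pass *` to prompt) and cut the key material from the sample output. The names also need to agree across steps: step 5 enters `gpadnub` as the logon name while the SPN in step 8 and `-mapuser` in step 9 use `gpadmin`; step 8 registers `postgres/hdp3.example.com` but the ktpass example uses `postgres/hdp3.mydomain.com@DATA.LOCAL`; step 9 writes `hdp3.keytab` while step 10 copies `hawq.service.keytab`; and in the quoted text the ktpass template (`-princ postgres/ -pass -mapuser ... -out -kvno 0`) and the `scp`/`ssh chown`/`ssh chmod` lines in step 10 have lost their placeholder arguments, probably angle-bracket placeholders eaten by the renderer, so they should be restored in a form that survives Markdown. Smaller points: `Adminisrative Tools` in step 2, `.etc/krb5.conf` in step 13 should be `/etc/krb5.conf`, the `Change the ownership ...` sentence in step 10 is not indented under its list item, and the bolded draft questions about Ambari and the Hortonworks link should be removed before merge.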